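#
# This file describes the security contexts to be applied to files
# when the security policy is installed.  The setfiles program
# reads this file and labels files accordingly.
#
# Each specification has the form:
#       regexp [ -type ] ( context | <<none>> )
#
# By default, the regexp is an anchored match on both ends (i.e. a
# caret (^) is prepended and a dollar sign ($) is appended automatically).
# This default may be overridden by using .* at the beginning and/or
# end of the regular expression.
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -d to match only directories or -- to match only
# regular files.
#
# The value of <<none>> may be used to indicate that matching files
# should not be relabeled.
#
# The last matching specification is used.
#
# If there are multiple hard links to a file that match
# different specifications and those specifications indicate
# different security contexts, then a warning is displayed
# but the file is still labeled based on the last matching
# specification other than <<none>>.
#
# Some of the files listed here get re-created during boot and therefore
# need type transition rules to retain the correct type.  These files are
# listed here anyway so that if the setfiles program is used on a running
# system it doesn't relabel them to something we don't want.  An example of
# this is /var/run/utmp.
#
# Maintenance notes:
#  - Because each regexp is anchored and the last match wins, every broad
#    "dir(|/.*)" entry must come before the more specific entries for
#    paths beneath it.  Keep that order when adding rules.
#  - Literal dots in fixed file names are escaped (\.) so that an
#    unescaped "." cannot match an arbitrary character and give a
#    privileged type (e.g. an *_exec_t) to a differently named file.
#    Patterns that deliberately use ".*" are left as written.
#

#
# The security context for all files not otherwise specified.
#
/.*                             system_u:object_r:file_t

#
# The root directory.
#
/                               system_u:object_r:root_t

#
# The policy configuration.
#
/ss_policy                      system_u:object_r:policy_config_t

#
# /var
#
/var(|/.*)                      system_u:object_r:var_t
/var/cache/man(|/.*)            system_u:object_r:catman_t
/var/lib(|/.*)                  system_u:object_r:var_lib_t
/var/lib/nfs(|/.*)              system_u:object_r:var_lib_nfs_t
/var/lock(|/.*)                 system_u:object_r:var_lock_t
/var/tmp(|/.*)                  system_u:object_r:tmp_t
/var/cache/httpd(|/.*)          system_u:object_r:httpd_cache_t
# Previously written "/var/log/httpd/(|/.*)"; with the anchored match that
# only matched "/var/log/httpd/" or a double-slash path, so it never
# applied.  It now agrees with the effective rule in the /var/log section.
/var/log/httpd(|/.*)            system_u:object_r:httpd_log_files_t

#
# The superuser home directory.
#
/root(|/.*)                     system_u:object_r:sysadm_home_t
/root/\.netscape(|/.*)          system_u:object_r:sysadm_netscape_rw_t

#
# Other user home directories.
#
/home(|/.*)                     system_u:object_r:user_home_t
/home/.*/\.netscape(|/.*)       system_u:object_r:user_netscape_rw_t

#
# /bin
#
/bin(|/.*)                      system_u:object_r:bin_t
/bin/login                      system_u:object_r:login_exec_t
/bin/tcsh                       system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/ash                        system_u:object_r:shell_exec_t
/bin/su                         system_u:object_r:su_exec_t
/bin/ls                         system_u:object_r:ls_exec_t
/bin/mount                      system_u:object_r:mount_exec_t
/bin/umount                     system_u:object_r:mount_exec_t
/bin/ping                       system_u:object_r:ping_exec_t

#
# /boot
#
/boot(|/.*)                     system_u:object_r:boot_t

#
# /dev
#
/dev(|/.*)                      system_u:object_r:device_t
/dev/null                       system_u:object_r:null_device_t
/dev/zero                       system_u:object_r:zero_device_t
/dev/console                    system_u:object_r:console_device_t
/dev/(kmem|mem|port)            system_u:object_r:memory_device_t
/dev/random                     system_u:object_r:random_device_t
/dev/urandom                    system_u:object_r:random_device_t
/dev/[^/]*tty[^/]*              system_u:object_r:tty_device_t
/dev/vcs[^/]*                   system_u:object_r:tty_device_t
# Placed after the generic tty pattern so that last-match-wins gives
# /dev/tty its own type.
/dev/tty                        system_u:object_r:devtty_t
/dev/sd[^/]*                    system_u:object_r:fixed_disk_device_t
/dev/hd[^/]*                    system_u:object_r:fixed_disk_device_t
/dev/scd[^/]*                   system_u:object_r:removable_device_t
/dev/fd[^/]*                    system_u:object_r:removable_device_t
/dev/rtc                        system_u:object_r:clock_device_t
/dev/initctl                    system_u:object_r:initctl_t
/dev/log                        system_u:object_r:devlog_t
/dev/printer                    system_u:object_r:printer_t
/dev/psaux                      system_u:object_r:mouse_device_t
/dev/.*mouse.*          -c      system_u:object_r:mouse_device_t
/dev/input/.*mouse.*            system_u:object_r:mouse_device_t
/dev/gpmctl                     system_u:object_r:gpmctl_t
/dev/ptmx                       system_u:object_r:ptmx_t
/dev/sequencer                  system_u:object_r:misc_device_t
/dev/dsp.*                      system_u:object_r:misc_device_t
/dev/audio                      system_u:object_r:misc_device_t
/dev/agpgart                    system_u:object_r:agp_device_t
/dev/dri(|/.*)                  system_u:object_r:dri_device_t
/dev/apm_bios                   system_u:object_r:apm_bios_t

#
# /etc
#
/etc(|/.*)                      system_u:object_r:etc_t
/etc/rc\.d/rc                   system_u:object_r:initrc_exec_t
/etc/rc\.d/boot                 system_u:object_r:initrc_exec_t
/etc/rc\.d/boot\.local          system_u:object_r:initrc_exec_t
/etc/aliases                    system_u:object_r:etc_aliases_t
/etc/aliases\.db                system_u:object_r:etc_aliases_t
/etc/mail(|/.*)                 system_u:object_r:etc_mail_t
/etc/modules\.conf              system_u:object_r:modules_conf_t
/etc/fstab                      system_u:object_r:etc_runtime_t
/etc/HOSTNAME                   system_u:object_r:etc_runtime_t
/etc/ioctl\.save                system_u:object_r:etc_runtime_t
/etc/mtab                       system_u:object_r:etc_runtime_t
/etc/issue                      system_u:object_r:etc_runtime_t
/etc/issue\.net                 system_u:object_r:etc_runtime_t
/etc/rc\.config                 system_u:object_r:etc_runtime_t
/etc/crontab                    system_u:object_r:system_crond_script_t
/etc/cron\.d(|/.*)              system_u:object_r:system_crond_script_t
/etc/security/cron_context.*    system_u:object_r:cron_context_t
/etc/ssh/primes                 system_u:object_r:sshd_key_t
/etc/ssh/ssh_host_key           system_u:object_r:sshd_key_t
/etc/ssh/ssh_host_dsa_key       system_u:object_r:sshd_key_t
/etc/ssh/ssh_host_rsa_key       system_u:object_r:sshd_key_t
/etc/ld\.so\.cache              system_u:object_r:ld_so_cache_t
/etc/httpd                      system_u:object_r:httpd_config_t
/etc/httpd/conf(|/.*)           system_u:object_r:httpd_config_t
/etc/httpd/modules              system_u:object_r:httpd_modules_t
/etc/resolv\.conf               system_u:object_r:resolv_conf_t
/etc/adjtime                    system_u:object_r:adjtime_t

#
# /lib
#
/lib(|/.*)                      system_u:object_r:lib_t
/lib/ld.*\.so.*                 system_u:object_r:ld_so_t
/lib/lib.*\.so.*                system_u:object_r:shlib_t
/lib/[^/]*/lib.*\.so.*          system_u:object_r:shlib_t
/lib/security/.*\.so.*          system_u:object_r:shlib_t
/lib/modules(|/.*)              system_u:object_r:modules_object_t
/lib/modules/[^/]*/modules\..*  system_u:object_r:modules_dep_t

#
# /sbin
#
/sbin(|/.*)                     system_u:object_r:sbin_t
/sbin/ifconfig                  system_u:object_r:ifconfig_exec_t
/sbin/depmod                    system_u:object_r:depmod_exec_t
/sbin/modprobe                  system_u:object_r:modprobe_exec_t
/sbin/insmod                    system_u:object_r:insmod_exec_t
/sbin/insmod\.static            system_u:object_r:insmod_exec_t
/sbin/rmmod                     system_u:object_r:rmmod_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/sulogin                   system_u:object_r:sulogin_exec_t
/sbin/.*getty                   system_u:object_r:getty_exec_t
/sbin/syslogd                   system_u:object_r:syslogd_exec_t
/sbin/klogd                     system_u:object_r:klogd_exec_t
/sbin/portmap                   system_u:object_r:portmap_exec_t
/sbin/rpc\..*                   system_u:object_r:rpcd_exec_t
/sbin/cardmgr                   system_u:object_r:cardmgr_exec_t
/sbin/fsck                      system_u:object_r:fsadm_exec_t
/sbin/fsck\.ext2                system_u:object_r:fsadm_exec_t
/sbin/fsck\.ext3                system_u:object_r:fsadm_exec_t
/sbin/e2fsck                    system_u:object_r:fsadm_exec_t
/sbin/e2label                   system_u:object_r:fsadm_exec_t
/sbin/mkfs                      system_u:object_r:fsadm_exec_t
/sbin/mke2fs                    system_u:object_r:fsadm_exec_t
/sbin/mkfs\.ext2                system_u:object_r:fsadm_exec_t
/sbin/mkswap                    system_u:object_r:fsadm_exec_t
/sbin/scsi_info                 system_u:object_r:fsadm_exec_t
/sbin/sfdisk                    system_u:object_r:fsadm_exec_t
/sbin/cfdisk                    system_u:object_r:fsadm_exec_t
/sbin/fdisk                     system_u:object_r:fsadm_exec_t
/sbin/tune2fs                   system_u:object_r:fsadm_exec_t
/sbin/dumpe2fs                  system_u:object_r:fsadm_exec_t
/sbin/swapon                    system_u:object_r:fsadm_exec_t
/sbin/hdparm                    system_u:object_r:fsadm_exec_t
/sbin/.*_chkpwd                 system_u:object_r:chkpwd_exec_t
/sbin/hwclock                   system_u:object_r:hwclock_exec_t

#
# /tmp
#
/tmp(|/.*)                      system_u:object_r:tmp_t
/tmp/orbit.*                    system_u:object_r:user_tmp_t
/tmp/\.ICE-unix(|/.*)           system_u:object_r:user_tmp_t
/tmp/\.X11-unix(|/.*)           system_u:object_r:user_xserver_tmp_t
/tmp/\.X0-lock                  system_u:object_r:user_xserver_tmp_t
/tmp/\.font-unix(|/.*)          system_u:object_r:xfs_tmp_t

#
# /usr
#
/usr(|/.*)                      system_u:object_r:usr_t
/usr/etc(|/.*)                  system_u:object_r:etc_t
/usr/libexec(|/.*)              system_u:object_r:lib_t
/usr/src(|/.*)                  system_u:object_r:src_t
/usr/tmp(|/.*)                  system_u:object_r:tmp_t
/usr/man(|/.*)                  system_u:object_r:man_t

#
# /usr/bin
#
/usr/bin(|/.*)                  system_u:object_r:bin_t
/usr/bin/lpr                    system_u:object_r:lpr_exec_t
/usr/bin/lpq                    system_u:object_r:lpr_exec_t
/usr/bin/lprm                   system_u:object_r:lpr_exec_t
/usr/bin/crontab                system_u:object_r:crontab_exec_t

#
# /usr/lib
#
/usr/lib(|/.*)                  system_u:object_r:lib_t
/usr/lib/lib.*\.so.*            system_u:object_r:shlib_t
/usr/lib/[^/]*/lib.*\.so.*      system_u:object_r:shlib_t
/usr/lib/autofs/.*\.so          system_u:object_r:shlib_t
/usr/lib/perl5/man(|/.*)        system_u:object_r:man_t
# NOTE(review): these locale entries are the only writeable_t under
# /usr in this file -- confirm that a writable type is intended here.
/usr/lib/locale/.*/LC_.*        system_u:object_r:writeable_t
/usr/share/locale/.*/LC_.*      system_u:object_r:writeable_t
/usr/lib/apache(|/.*)           system_u:object_r:httpd_modules_t

#
# /usr/.*glibc.*-linux/lib
#
/usr/.*glibc.*-linux/lib(|/.*)          system_u:object_r:lib_t
/usr/.*glibc.*-linux/lib/ld.*\.so.*     system_u:object_r:ld_so_t
/usr/.*glibc.*-linux/lib/lib.*\.so.*    system_u:object_r:shlib_t

#
# /usr/.*linux-libc.*/lib
#
/usr/.*linux-libc.*/lib(|/.*)           system_u:object_r:lib_t
/usr/.*linux-libc.*/lib/ld.*\.so.*      system_u:object_r:ld_so_t
/usr/.*linux-libc.*/lib/lib.*\.so.*     system_u:object_r:shlib_t

#
# /usr/local
#
/usr/local/etc(|/.*)            system_u:object_r:etc_t
/usr/local/src(|/.*)            system_u:object_r:src_t
/usr/local/sbin(|/.*)           system_u:object_r:sbin_t
/usr/local/man(|/.*)            system_u:object_r:man_t

#
# /usr/local/bin
#
/usr/local/bin(|/.*)            system_u:object_r:bin_t

#
# /usr/local/lib
#
/usr/local/lib(|/.*)            system_u:object_r:lib_t

#
# /usr/sbin
#
/usr/sbin(|/.*)                 system_u:object_r:sbin_t
# NOTE(review): the next two lines repeat the /sbin entries above verbatim.
# If they were meant to cover /usr/sbin/syslogd and /usr/sbin/klogd, those
# paths currently stay plain sbin_t -- confirm the intended path.
/sbin/syslogd                   system_u:object_r:syslogd_exec_t
/sbin/klogd                     system_u:object_r:klogd_exec_t
/usr/sbin/apmd                  system_u:object_r:apmd_exec_t
/usr/sbin/crond                 system_u:object_r:crond_exec_t
/usr/sbin/atd                   system_u:object_r:atd_exec_t
/usr/sbin/lpd                   system_u:object_r:lpd_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/usr/sbin/inetd                 system_u:object_r:inetd_exec_t
/usr/sbin/tcpd                  system_u:object_r:tcpd_exec_t
/usr/sbin/in\..*d               system_u:object_r:inetd_child_exec_t
/usr/sbin/sendmail              system_u:object_r:sendmail_exec_t
/usr/sbin/rpc\..*               system_u:object_r:rpcd_exec_t
/usr/sbin/gpm                   system_u:object_r:gpm_exec_t
/usr/sbin/gnome-pty-helper      system_u:object_r:gph_exec_t
/usr/sbin/logrotate             system_u:object_r:logrotate_exec_t
/usr/sbin/httpd                 system_u:object_r:httpd_exec_t
/usr/sbin/automount             system_u:object_r:automount_exec_t
/usr/sbin/suexec                system_u:object_r:httpd_suexec_exec_t

#
# /usr/X11R6/bin
#
/usr/X11R6/bin(|/.*)            system_u:object_r:bin_t
/usr/X11R6/bin/xfs              system_u:object_r:xfs_exec_t
/usr/X11R6/bin/Xwrapper         system_u:object_r:xserver_exec_t

#
# /usr/X11R6/lib
#
/usr/X11R6/lib(|/.*)            system_u:object_r:lib_t
/usr/X11R6/lib/lib.*\.so.*      system_u:object_r:shlib_t

#
# /usr/X11R6/man
#
/usr/X11R6/man(|/.*)            system_u:object_r:man_t

#
# /usr/kerberos
#
/usr/kerberos/bin(|/.*)         system_u:object_r:bin_t
/usr/kerberos/sbin(|/.*)        system_u:object_r:sbin_t
/usr/kerberos/lib(|/.*)         system_u:object_r:lib_t
/usr/kerberos/lib/lib.*\.so.*   system_u:object_r:shlib_t

#
# /usr/local/selinux
#
/usr/local/selinux/bin(|/.*)    system_u:object_r:bin_t
# NOTE(review): every other sbin directory in this file is sbin_t; this one
# is bin_t -- confirm whether that is deliberate.
/usr/local/selinux/sbin(|/.*)   system_u:object_r:bin_t
/usr/local/selinux/lib(|/.*)    system_u:object_r:lib_t
/usr/local/selinux/libexec(|/.*)        system_u:object_r:lib_t
/usr/local/selinux/bin/spasswd  system_u:object_r:passwd_exec_t
/usr/local/selinux/bin/schsh    system_u:object_r:passwd_exec_t
/usr/local/selinux/bin/schfn    system_u:object_r:passwd_exec_t
/usr/local/selinux/bin/newrole  system_u:object_r:newrole_exec_t

#
# /var/run
#
/var/run(|/.*)                  system_u:object_r:var_run_t
/var/run/utmp                   system_u:object_r:initrc_var_run_t
/var/run/random-seed            system_u:object_r:initrc_var_run_t
# Pid files are created at run time; <<none>> tells setfiles not to
# relabel them, so they keep the type they were created with.
/var/run/.*\.*pid               <<none>>

#
# /var/spool
#
/var/spool(|/.*)                system_u:object_r:var_spool_t
/var/spool/atspool(|/.*)        system_u:object_r:at_spool_t
/var/spool/cron                 system_u:object_r:cron_spool_t
/var/spool/cron/.*              system_u:object_r:user_cron_spool_t
/var/spool/lpd(|/.*)            system_u:object_r:lpd_spool_t
/var/spool/mail(|/.*)           system_u:object_r:mail_spool_t

#
# /var/log
#
/var/log(|/.*)                  system_u:object_r:var_log_t
/var/log/wtmp                   system_u:object_r:wtmp_t
/var/log/sendmail\.st           system_u:object_r:sendmail_var_log_t
/var/log/cron                   system_u:object_r:cron_log_t
/var/log/XFree86.*              system_u:object_r:xserver_var_log_t
/var/log/httpd(|/.*)            system_u:object_r:httpd_log_files_t
/var/log/sa(|/.*)               system_u:object_r:var_log_sa_t

#
# IPSEC definitions
#
/etc/ipsec\.secrets             system_u:object_r:ipsec_file_t
/usr/local/lib/ipsec(|/.*)      system_u:object_r:sbin_t
/usr/local/lib/ipsec/eroute     system_u:object_r:ipsec_exec_t
/usr/local/lib/ipsec/klipsdebug system_u:object_r:ipsec_exec_t
/usr/local/lib/ipsec/pluto      system_u:object_r:ipsec_exec_t
/usr/local/lib/ipsec/spi        system_u:object_r:ipsec_exec_t

#
# Persistent label mappings.
# Kept last (with lost+found) so that, under last-match-wins, these
# unanchored patterns take precedence over the per-directory rules above.
#
.*/\.\.\.security(|/.*)         system_u:object_r:file_labels_t

#
# Lost and found directories.
#
.*/lost\+found(|/.*)            system_u:object_r:lost_found_t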